Stop committing secrets

Voiced by Amazon Polly

Anything that is secret or varies per environment is configuration (though not all configuration is secret). Configuration should never be part of the application. Therefore it doesn’t belong in version control and should never be committed. Inject these arguments dynamically as part of a CI / CD workflow and never expose them to the client.


As with all software development, there are many ways to skin this cat and the best option for a given situation will depend on the time we’re given to implement it, the tools we have at our disposal, the type of arguments we’re storing, and our level of CI / CD adoption.

What we want to end up with is a dynamic, private configuration that is stored securely. The following are all much better options than simply hardcoding things directly in the application but an important prerequisite is that anywhere a secret or configuration is used in the app should be replaced with a dynamic reference to it using something like dotenv or phpdotenv.

A few places they shouldn’t be:

  1. Version control (Git, SVN etc).
  2. Memorized.
  3. Only in one place.
  4. In the browser (JavaScript etc).
  5. Emailed.

A few places they could be:

  1. In a secret manager like AWS Secrets Manager or Parameter Store
  2. Included in a Continuous Deployment workflow like Bitbucket Environment Variables
  3. A private file in S3
  4. A private file hosted by the enterprise that is requested during a build

Enforce the Principle of Least Privilege in all applications and follow the 12 Factor App principle and keep secrets secret, and separate configs from application code.

Leave a Reply

Your email address will not be published.